I use a 4096 byte RSA PGP key; since SSH also uses the RSA standard, is it at all possible to use the PGP key as an SSH key without installing additional software on the server (and as little as possible on the client)?
gpg2 on Debian comes with a gpgkey2ssh tool, and gpg-agent can act as a ssh agent too, but I couldn't figure out how to actually make ssh use the key for authentication.
There are several ways, which may or may not work:
SSH2 Version 2.0.13 introduced support for PGP authentication.
excerpt from SSH The Secure Shell
With the information from the answers on this question and the help of the gnupg-users mailing list I was able to figure out how to use my GPG key for SSH authentication. There are a few possible methods to do this.
I have written a blogpost about some possible solutions: http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
To summarize: Either you use GnuPG 2.1, which is currently in beta. When using this version, you can simply start gpg-agent with the --enable-ssh-support option and add the keygrip for your GPG key (or subkey) into ~/.gnupg/sshcontrol.
When you are using the current stable GnuPG version (2.0.x) you can use monkeysphere to add your key to gpg-agent (again, after starting gpg-agent with the --enable-ssh-support option).
It is also possible to use GNOME keyring (or even the regular ssh-agent) with the help of monkeysphere. The only problem in this case is that you will have to re-add your key when logging on again (into Gnome or XFCE). To solve this you can manually export your key and convert it.
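The sshcontrol step from the answer above, as an added example that is not part of the original answers: it picks the keygrip of each usable authentication-capable key out of GnuPG's colon listing and appends it to sshcontrol once, so the private key never leaves gpg-agent. It assumes GnuPG 2.1 or later and the colon format's field 12 (capabilities) and field 10 of the grp record (keygrip); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes GnuPG >= 2.1.

# Constructed sample of `gpg --list-secret-keys --with-colons --with-keygrip`:
# a certify/sign primary key, an encryption subkey, an authentication subkey
# and a revoked authentication subkey. All IDs and keygrips are made up.
sample_listing() {
cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1344000000:::u:::scESCA:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1344000000::::::e:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1344000000::::::a:
grp:::::::::3333333333333333333333333333333333333333:
ssb:r:4096:1:DDDDDDDDDDDDDDDD:1344000000::::::a:
grp:::::::::4444444444444444444444444444444444444444:
EOF
}

# Read a colon listing on stdin and print the keygrip of every key or subkey
# whose own capabilities include "a" (authentication), skipping revoked and
# expired keys. The uppercase "A" on a primary key is only a summary flag.
auth_keygrips() {
  awk -F: '
    $1 ~ /^(pub|sub|sec|ssb)$/ { want = ($12 ~ /a/ && $2 !~ /^[re]/) }
    $1 == "grp" && want        { print $10; want = 0 }
  '
}

# Append each keygrip read from stdin to the sshcontrol file given as $1.
# Anything that is not 40 uppercase hex characters is ignored, and a keygrip
# already mentioned in the file (enabled or disabled) is not added again.
enable_for_ssh() {
  sshcontrol=$1
  touch "$sshcontrol" && chmod 600 "$sshcontrol" || return 1
  while read -r grip; do
    [ "${#grip}" -eq 40 ] || continue
    case $grip in *[!0-9A-F]*) continue ;; esac
    grep -q "$grip" "$sshcontrol" || printf '%s\n' "$grip" >> "$sshcontrol"
  done
  return 0
}

# Touch the real keyring only when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  gpg --list-secret-keys --with-colons --with-keygrip | auth_keygrips |
    enable_for_ssh "${GNUPGHOME:-$HOME/.gnupg}/sshcontrol"
fi
```

With gpg-agent started with --enable-ssh-support and SSH_AUTH_SOCK pointing at its socket, `ssh-add -L` should then print the public key to put in authorized_keys on the server.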
This document shows how to do it on the SSH.com client; I am not sure that it works on OpenSSH but it might be worth a shot.
Export private SSH key from GPG without additional software installation
Find a keygrip of desired private key
Import it into a new temporary gpgsm keyring
Convert the key to pkcs12 format
Enter again the encryption password as before to decrypt it. Then enter new password which should be used to protect .p12 file. If your /tmp folder resides on RAM like mine, you can leave it blank as it will be safely wiped after reboot.
Convert it to ssh friendly format
In addition it requires stripping first 4 lines of the output, so that it starts with ---BEGIN PRIVATE KEY---
There you have your sshkey ready to use by ssh client. Hope this helps, for me it was necessary as I was not able to install monkeysphere.